FTP problem: SSL session reuse required

Hi! I am trying to set up a private ftp-based backup solution that has to be secure and reliable. After struggling with various programs, I found rclone, which seems like the only tool that could work for me. But I'm having some issues with it.

What is the problem you are having with rclone?

FTP with explicit TLS does not seem to work. With the 'dump bodies' option it seems the problem is lack of SSL session reuse support on rclone. Am I right?
Is there a way to solve this, or do I have to wait for the feature to be implemented (or search for another tool)?
Strangely, I couldn't find anything on this issue on the internet, which suggests only I am having it.

What is your rclone version (output from rclone version)

1.55.1 (latest). Also tried 1.53 (latest beta) with same result.

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Windows 10 64-bit

Which cloud storage system are you using? (eg Google Drive)

FTP

The command you were trying to run (eg rclone copy /tmp remote:tmp)

& "C:\PProg\Dysk\rclone\rclone.exe" lsf "enklawa:/test_dir/" -vv --dump bodies --retries 1 --low-level-retries 1 --config="$PSScriptRoot\rclone.config" --password-command="powershell -NoProfile -File $PSScriptRoot\rclone_pass.ps1"

Post your config file

Cannot post it, because my config is encrypted. I am pasting the configuration of my server printed by the config command.

--------------------
[enklawa]
type = ftp
host = *PRIVATE*
user = *PRIVATE*
port = *PRIVATE
pass = *** ENCRYPTED ***
explicit_tls = true
no_check_certificate = true
--------------------

A log from the command with the -vv flag

2021/06/15 19:22:25 DEBUG : rclone: Version "v1.55.1" starting with parameters ["C:\\pprog\\Dysk\\rclone\\rclone.exe" "lsf" "enklawa:/test_dir/" "-vv" "--dump" "bodies" "--retries" "1" "--low-level-retries" "1" "--config=D:\\BackupScript\\rclone\\rclone.config" "--password-command=powershell -NoProfile -File D:\\BackupScript\\rclone\\rclone_pass.ps1"]
2021/06/15 19:22:25 DEBUG : Creating backend with remote "enklawa:/test_dir/"
2021/06/15 19:22:25 DEBUG : ftp://*PRIVATE*/test_dir: Connecting to FTP server
2021/06/15 19:22:25 DEBUG : FTP Rx: "220 Welcome to Backup server 1."
2021/06/15 19:22:25 DEBUG : FTP Tx: "AUTH TLS"
2021/06/15 19:22:25 DEBUG : FTP Rx: "234 Proceed with negotiation."
2021/06/15 19:22:25 DEBUG : FTP Tx: "USER *PRIVATE*"
2021/06/15 19:22:25 DEBUG : FTP Rx: "331 Please specify the password."
2021/06/15 19:22:25 DEBUG : FTP Tx: PASS *****
2021/06/15 19:22:26 DEBUG : FTP Rx: "230 Login successful."
2021/06/15 19:22:26 DEBUG : FTP Tx: "FEAT"
2021/06/15 19:22:26 DEBUG : FTP Rx: "211-Features:"
2021/06/15 19:22:26 DEBUG : FTP Rx: " AUTH TLS"
2021/06/15 19:22:26 DEBUG : FTP Rx: " UTF8"
2021/06/15 19:22:26 DEBUG : FTP Rx: " EPRT"
2021/06/15 19:22:26 DEBUG : FTP Rx: " EPSV"
2021/06/15 19:22:26 DEBUG : FTP Rx: " MDTM"
2021/06/15 19:22:26 DEBUG : FTP Rx: " PASV"
2021/06/15 19:22:26 DEBUG : FTP Rx: " PBSZ"
2021/06/15 19:22:26 DEBUG : FTP Rx: " PROT"
2021/06/15 19:22:26 DEBUG : FTP Rx: " REST STREAM"
2021/06/15 19:22:26 DEBUG : FTP Rx: " SIZE"
2021/06/15 19:22:26 DEBUG : FTP Rx: " TVFS"
2021/06/15 19:22:26 DEBUG : FTP Rx: "211 End"
2021/06/15 19:22:26 DEBUG : FTP Tx: "TYPE I"
2021/06/15 19:22:26 DEBUG : FTP Rx: "200 Switching to Binary mode."
2021/06/15 19:22:26 DEBUG : FTP Tx: "OPTS UTF8 ON"
2021/06/15 19:22:26 DEBUG : FTP Rx: "200 Always in UTF8 mode."
2021/06/15 19:22:26 DEBUG : FTP Tx: "PBSZ 0"
2021/06/15 19:22:26 DEBUG : FTP Rx: "200 PBSZ set to 0."
2021/06/15 19:22:26 DEBUG : FTP Tx: "PROT P"
2021/06/15 19:22:26 DEBUG : FTP Rx: "200 PROT now Private."
2021/06/15 19:22:26 DEBUG : FTP Tx: "EPSV"
2021/06/15 19:22:26 DEBUG : FTP Rx: "229 Entering Extended Passive Mode (|||6697|)"
2021/06/15 19:22:26 DEBUG : FTP Tx: "LIST /test_dir"
2021/06/15 19:22:26 DEBUG : FTP Rx: "150 Here comes the directory listing."
2021/06/15 19:22:26 DEBUG : FTP Rx: "522 SSL connection failed: session reuse required"
2021/06/15 19:22:26 DEBUG : FTP Tx: "EPSV"
2021/06/15 19:22:26 DEBUG : FTP Tx: "PASV"
2021/06/15 19:22:26 DEBUG : FTP Tx: "NOOP"
2021/06/15 19:22:26 DEBUG : ftp://*PRIVATE*/test_dir: Connection failed, closing: EOF
2021/06/15 19:22:26 DEBUG : FTP Tx: "QUIT"
2021/06/15 19:22:26 ERROR : : error listing: EOF
2021/06/15 19:22:26 DEBUG : 2 go routines active
2021/06/15 19:22:26 Failed to lsf with 2 errors: last error was: error in ListJSON: EOF

Is your server ProFTP?

You can disable the session reuse by setting "TLS No Session Reuse Required"

1 Like

I use vsftpd. I added the configuration option require_ssl_reuse=NO, and it worked. Thank you.

As I understand it, it would be more secure if the session reuse was working, so I would really appreciate it if the feature could be added in future versions (perhaps this is not the right place to request features, but maybe it will be noticed).

A professional golang core developer from Google does not think it's undoubtedly secure:

TLS session reuse in rclone is pending on this core golang ticket and on a number of open bugs in various SSL implementations, in particular OpenSSL:

Also, there is some confusion between session reuse, TLS 1.3 session resume and TLS session cache. Don't ask me, I'm myself confused. I use SFTP wherever possible if the speed is not too low.

Related to:

2 Likes
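
What the server-side check amounts to, as an added example (not code from rclone or from anyone in this thread): a Go TLS client resumes a session only when its config carries a `ClientSessionCache`, and the server sees the difference as `DidResume`, which is the property a server with `require_ssl_reuse` demands of the data connection. Assumptions: both peers run in one process over `net.Pipe` with a throwaway certificate (so verification is skipped), TLS is capped at 1.2 so the session ticket is delivered during the handshake, and `handshake` and `Demo` are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// handshake reports whether the server saw this connection resume a session.
func handshake(srv, cli *tls.Config) (bool, error) {
	cp, sp := net.Pipe() // in-memory link standing in for a TCP connection
	defer cp.Close()     // also unblocks the server goroutine on failure
	server, errc := tls.Server(sp, srv), make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := tls.Client(cp, cli).Handshake(); err != nil {
		return false, err
	}
	err := <-errc
	return server.ConnectionState().DidResume, err
}

// Demo: control channel, data channel sharing its cache, data channel without.
func Demo() (res [3]bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway, constructed here
	if err != nil {
		return res, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"ftps.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return res, err
	}
	srv := &tls.Config{MaxVersion: tls.VersionTLS12, // ticket arrives in-handshake
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	shared := &tls.Config{InsecureSkipVerify: true, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	for i, cli := range []*tls.Config{shared, shared, {InsecureSkipVerify: true}} { // in-process peers
		if res[i], err = handshake(srv, cli); err != nil {
			return res, err
		}
	}
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

The third result is the case the `522 SSL connection failed: session reuse required` reply in the log above rejects: a data-channel handshake that starts from scratch instead of resuming the control channel's session.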

SFTP could be a solution, but I cannot use it for reasons I don't want to reveal :slight_smile:

@Kaziq
Can I ask you something?
Please find a minute, go to Issues · rclone/rclone · GitHub and create a formal request for Explicit FTP with TLS session reuse. Copy-paste issue template items from above.
I will copy-paste references and mark as "waiting for upstream" so I don't lose it later.
This is for my own and the rclone community memory.

Thank you

Done.

1 Like
